if (info.service_secret.empty())
error = "invalid key"; // Bad key?
else
- encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, blob.blob, error);
+ encode_encrypt_enc_bl(cct, ticket_info, info.service_secret, 10, blob.blob, error);
if (!error.empty()) {
ldout(cct, -1) << "cephx_build_service_ticket_blob failed with error "
<< error << dendl;
msg_a.session_key = info.session_key;
msg_a.validity = info.validity;
std::string error;
- if (encode_encrypt(cct, msg_a, principal_secret, reply, error)) {
+ if (encode_encrypt(cct, msg_a, principal_secret, 4, reply, error)) {
ldout(cct, -1) << "error encoding encrypted: " << error << dendl;
return false;
}
encode((__u8)should_encrypt_ticket, reply);
if (should_encrypt_ticket) {
- if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, reply, error)) {
+ if (encode_encrypt(cct, service_ticket_bl, ticket_enc_key, 5, reply, error)) {
ldout(cct, -1) << "error encoding encrypted ticket: " << error << dendl;
return false;
}
CephXServiceTicket msg_a;
std::string error;
- if (decode_decrypt(cct, msg_a, secret, indata, error)) {
+ if (decode_decrypt(cct, msg_a, secret, 4, indata, error)) {
ldout(cct, 0) << __func__ << " failed decode_decrypt, error is: " << error
<< dendl;
return false;
if (ticket_enc) {
ldout(cct, 10) << __func__ << " got encrypted ticket" << dendl;
std::string error;
- if (decode_decrypt(cct, service_ticket_bl, session_key, indata, error)) {
+ if (decode_decrypt(cct, service_ticket_bl, session_key, 5, indata, error)) {
ldout(cct, 10) << __func__ << " decode_decrypt failed "
<< "with " << error << dendl;
return false;
msg.nonce = a->nonce;
std::string error;
- if (encode_encrypt(cct, msg, session_key, a->bl, error)) {
+ if (encode_encrypt(cct, msg, session_key, 11, a->bl, error)) {
ldout(cct, 0) << "failed to encrypt authorizer: " << error << dendl;
delete a;
return 0;
}
std::string error;
- decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket_blob.blob, error);
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket_blob.blob, error);
if (!error.empty()) {
ldout(cct, 0) << "ceph_decode_ticket could not decrypt ticket info. error:"
<< error << dendl;
if (service_secret.empty())
error = "invalid key"; // Bad key?
else
- decode_decrypt_enc_bl(cct, ticket_info, service_secret, ticket.blob, error);
+ decode_decrypt_enc_bl(cct, ticket_info, service_secret, 10, ticket.blob, error);
if (!error.empty()) {
ldout(cct, 0) << __func__ << ": could not decrypt ticket info: " << error << dendl;
return false;
CephXAuthorize auth_msg;
if (ticket_info.session_key.empty()) {
error = "session key is invalid";
- } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, indata, error)) {
+ } else if (!decode_decrypt(cct, auth_msg, ticket_info.session_key, 11, indata, error)) {
error = "";
}
if (!error.empty()) {
ldout(cct,10) << __func__ << ": adding server_challenge " << c->server_challenge
<< dendl;
- encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, *reply_bl, error);
+ encode_encrypt_enc_bl(cct, *c, ticket_info.session_key, 13, *reply_bl, error);
if (!error.empty()) {
ldout(cct, 0) << __func__ << ": encode_encrypt error: " << error << dendl;
return false;
}
reply.connection_secret = *connection_secret;
}
- if (encode_encrypt(cct, reply, ticket_info.session_key, *reply_bl, error)) {
+ if (encode_encrypt(cct, reply, ticket_info.session_key, 15, *reply_bl, error)) {
ldout(cct, 10) << "verify_authorizer: encode_encrypt error: " << error << dendl;
return false;
}
CephXAuthorizeReply reply;
std::string error;
- if (decode_decrypt(cct, reply, session_key, indata, error)) {
+ if (decode_decrypt(cct, reply, session_key, 15, indata, error)) {
ldout(cct, 0) << "verify_reply couldn't decrypt with error: " << error << dendl;
return false;
}
if (!p.end()) {
std::string error;
CephXAuthorizeChallenge ch{};
- decode_decrypt_enc_bl(cct, ch, session_key, challenge, error);
+ decode_decrypt_enc_bl(cct, ch, session_key, 13, challenge, error);
if (!error.empty()) {
ldout(cct, 0) << "failed to decrypt challenge (" << challenge.length() << " bytes): "
<< error << dendl;
}
std::string error;
- if (encode_encrypt(cct, msg, session_key, bl, error)) {
+ if (encode_encrypt(cct, msg, session_key, 11, bl, error)) {
ldout(cct, 0) << __func__ << " failed to encrypt authorizer: " << error << dendl;
return false;
}
decode(t, iter2);
}
+template <typename T>
+void decode_decrypt_enc_bl(CephContext *cct, T& t, const CryptoKey& key,
+ uint32_t usage, const ceph::buffer::list& bl_enc,
+ std::string &error)
+{
+ uint64_t magic;
+ ceph::buffer::list bl;
+
+ if (key.decrypt_ext(cct, usage, bl_enc, bl, &error) < 0) {
+ error = "decryption failed";
+ return;
+ }
+
+ auto iter2 = bl.cbegin();
+ __u8 struct_v;
+ using ceph::decode;
+ decode(struct_v, iter2);
+ decode(magic, iter2);
+ if (magic != AUTH_ENC_MAGIC) {
+ std::ostringstream oss;
+ oss << "bad magic in decode_decrypt, " << magic << " != " << AUTH_ENC_MAGIC;
+ error = oss.str();
+ return;
+ }
+
+ decode(t, iter2);
+}
+
template <typename T>
void encode_encrypt_enc_bl(CephContext *cct, const T& t, const CryptoKey& key,
ceph::buffer::list& out, std::string &error)
key.encrypt(cct, bl, out, &error);
}
+template <typename T>
+void encode_encrypt_enc_bl(CephContext *cct, const T& t, const CryptoKey& key,
+ uint32_t usage, ceph::buffer::list& out,
+ std::string &error)
+{
+ ceph::buffer::list bl;
+ __u8 struct_v = 1;
+ using ceph::encode;
+ encode(struct_v, bl);
+ uint64_t magic = AUTH_ENC_MAGIC;
+ encode(magic, bl);
+ encode(t, bl);
+
+ key.encrypt_ext(cct, usage, bl, out, &error);
+}
+
template <typename T>
int decode_decrypt(CephContext *cct, T& t, const CryptoKey& key,
ceph::buffer::list::const_iterator& iter, std::string &error)
return 0;
}
+template <typename T>
+int decode_decrypt(CephContext *cct, T& t, const CryptoKey& key,
+ uint32_t usage, ceph::buffer::list::const_iterator& iter,
+ std::string &error)
+{
+ ceph::buffer::list bl_enc;
+ using ceph::decode;
+ try {
+ decode(bl_enc, iter);
+ decode_decrypt_enc_bl(cct, t, key, usage, bl_enc, error);
+ }
+ catch (ceph::buffer::error &e) {
+ error = "error decoding block for decryption";
+ }
+ if (!error.empty())
+ return CEPHX_CRYPT_ERR;
+ return 0;
+}
+
template <typename T>
int encode_encrypt(CephContext *cct, const T& t, const CryptoKey& key,
ceph::buffer::list& out, std::string &error)
return 0;
}
+template <typename T>
+int encode_encrypt(CephContext *cct, const T& t, const CryptoKey& key,
+ uint32_t usage, ceph::buffer::list& out, std::string &error)
+{
+ using ceph::encode;
+ ceph::buffer::list bl_enc;
+ encode_encrypt_enc_bl(cct, t, key, usage, bl_enc, error);
+ if (!error.empty()){
+ return CEPHX_CRYPT_ERR;
+ }
+ encode(bl_enc, out);
+ return 0;
+}
+
template <typename T>
int encode_hash(CephContext *cct, const T& t, const CryptoKey& key,
ceph::buffer::list& out, std::string &error)
projects / ceph-ci.git / commitdiff